
malwarebytes is hanging up during heuristic scan


alfmuc


Malwarebytes is hanging up on my computer during the heuristic scan, with an extremely high number of hits, more than 80000. All other scans run without problems.

I followed the instructions from the forum: ran in protected mode, ran a check disk on all hard drives and defragmented all hard disks. Nothing changed.

When I stopped the scan manually at the first hits, I got strange results in the log. Here is a short excerpt:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 11.09.2014
Suchlauf-Zeit: 12:34:54
Logdatei: malwarebytes log.txt
Administrator: Ja

Version: 2.00.2.1012
Malware Datenbank: v2014.09.11.02
Rootkit Datenbank: v2014.09.10.02
Lizenz: Premium
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Self-protection: Aktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Admin

Suchlauf-Art: Benutzerdefinierter Suchlauf
Ergebnis: Abgebrochen
Durchsuchte Objekte: 520206
Verstrichene Zeit: 9 Min, 26 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristics: Deaktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registrierungsschlüssel: 0
(No malicious items detected)

Registrierungswerte: 0
(No malicious items detected)

Registrierungsdaten: 0
(No malicious items detected)

Ordner: 197
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\drucker testdateien, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\firefox lesezeichen, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\fonts, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\handbücher, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\nexus7, , [fd03a24a6219d0665906ab3f9e64a759],

 

 

 

The folder d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\ does not exist on my computer.

The same error also occurs when I exclude the whole hard drive d: manually in a user-defined scan. This was preceded by a downgrade of my raid2-array d: with a subsequent rebuild. Could it be that the quarantine was partly destroyed by this and that Malwarebytes is now interpreting this as an infection? Where does Malwarebytes get this data from? I tried to remove this stuff by stopping the scan manually at about 1700 hits, letting the files be moved to quarantine and deleting them. I did this 10 times; this should reduce the number of remaining hits by 17000, but it didn't.

I disabled the following options: move detected objects automatically to quarantine, scan archives, scan for rootkits, use Shuriken engine, malware protection, malicious website protection, treat PUP as malware, treat PUM as malware, send notification on hits and send log. Without result.

When I let the scan run undisturbed, the heuristic scan finishes and the green sign for finished appears, but the window with the results and the button to move them to quarantine does not appear, and when I click any element, Malwarebytes crashes.

When I stop the scan manually right at the beginning (fewer than about 2000 hits), everything seems to be normal. But the actions taken do not have any effect on the remaining number of hits.

When I stop the scan after about 2000 hits, Malwarebytes crashes.

I believe it is a problem with a corrupted quarantine, but AdvancedSetup referred me to you.

Hoping for your help,

alfmuc
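
The log excerpt in the post above can be triaged offline before anything is quarantined. The following is an added example, not part of the original thread and not Malwarebytes code: it assumes detection lines have the layout seen in the excerpt (name, path, an empty field, a bracketed 32-character hex value), and the function names are hypothetical. It collapses each group of hits to its common parent folder and reports parents that are not present on disk.

```python
import ntpath
import os
import re
from collections import defaultdict

# Assumed detection line layout, taken from the log excerpt in the post:
#   <detection name>, <path>, <empty field>, [<32 hex chars>],
DETECTION = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+), [^,]*, \[(?P<id>[0-9a-f]{32})\],$"
)

# Three detection lines copied from the excerpt, plus one header line.
SAMPLE_LOG = r"""Ordner: 197
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration, , [fd03a24a6219d0665906ab3f9e64a759],
PUP.Optional.SettingsManager.A, d:\daten\benutzerdaten\\admin\appdata\roaming\settings manager\admin\administration\fonts, , [fd03a24a6219d0665906ab3f9e64a759],
"""

def parse_detections(log_text):
    """Return (name, normalised path, bracketed value) per detection line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            # normpath collapses the doubled backslash seen in the log paths
            hits.append((m["name"], ntpath.normpath(m["path"]), m["id"]))
    return hits

def summarise(hits):
    """Group hits by (name, bracketed value); reduce each group to its root."""
    groups = defaultdict(list)
    for name, path, ident in hits:
        groups[(name, ident)].append(path)
    return {key: {"count": len(paths), "root": ntpath.commonpath(paths)}
            for key, paths in groups.items()}

def missing_roots(summary, exists=os.path.isdir):
    """Roots that are not on disk; only meaningful on the scanned Windows host."""
    return sorted({g["root"] for g in summary.values() if not exists(g["root"])})

if __name__ == "__main__":
    summary = summarise(parse_detections(SAMPLE_LOG))
    for (name, ident), group in summary.items():
        print(f"{name} [{ident}]: {group['count']} hits under {group['root']}")
    print("roots not found on disk:", missing_roots(summary))
```
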


Hello gringo_pr,

 

Yes, I need your help; the problem still exists.

What I did since my last post:

I reinstalled mbam following the mbam clean removal instructions from the forum. No effect.

I ran adwcleaner and deleted all detected items. These two items could not be deleted:

                                      D:\Daten\Benutzerdaten\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k1sh5eqr.default\prefs.js
                                      D:\Daten\Benutzerdaten\Alfred\AppData\Roaming\Mozilla\Firefox\Profiles\ws1sp1md.default\prefs.js

I deleted the Firefox folder in the AppData path in order to create a new, clean profile. adwcleaner detected these two files in the new profile. But I think for the moment this is a minor problem.

I made a complete backup so that I can now try some risky things without losing data.

I attached the log file from a manually stopped scan. From hung scans I did not get a log.

Best regards,

 

alfmuc

Malwarebytes-log.txt


  • Staff

Hello alfmuc

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Gringo

  • Staff

Hello alfmuc

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo


Hello Gringo,

 

I started the two programs and they worked without problems. AdwCleaner could not remove these two items:

             D:\Daten\Benutzerdaten\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k1sh5eqr.default\prefs.js
             D:\Daten\Benutzerdaten\Alfred\AppData\Roaming\Mozilla\Firefox\Profiles\ws1sp1md.default\prefs.js

mbam is doing just the same.

Best regards, alfmuc

AdwCleanerS0.txt

JRT.txt


  • Staff

Hello alfmuc

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Hello Gringo,

 

Because I have a backup admin account that does not use my normal data drive, I tried what would happen when I start mbam from this account and rename some files and folders.

The following happened: when I renamed the folder D:\daten\benutzerdaten\admin, mbam scanned without problems and without detections. When I only renamed the subfolders and files in this directory, mbam detected more than 100.000 items and hung. The corresponding logs with my remarks and the contents of the folders are attached.

Best regards, alfmuc

dir_admin.txt

dir_admin_appdata_local.txt

dir_admin_appdata_roaming.txt

MBlog_a.txt

MBlog_b.txt

MBlog_c.txt

MBlog_d.txt

MBlog_e.txt


  • Staff

Hello alfmuc

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

Hello Gringo,

 

I tried the new beta. It crashes during the heuristic scan and it works very slowly after it has detected the first item. The crash point was: 538.537 objects, 10043 detected items, 9:45:05 scan time. I rebooted the computer, started mbam again and stopped it manually. The display of the process tab/quarantine contents seems to be very strange. I think this cannot be a real path; it looks more like an archive bomb. I don't have a way to make a text export, so I made a screenshot and attached it. I think it's not a good idea to attach the contents of the quarantine to my reply. I did not delete the quarantine, so that I can upload the files if wanted.

Best regards, alfmuc

post-173062-0-57300700-1412757733_thumb.


  • Staff

Hello

I would like to try reinstalling Malwarebytes Antimalware at this time.

To completely remove Malwarebytes Antimalware, you will first need to uninstall it from the Control Panel: Add/Remove Programs in XP, or Programs and Features in Vista and later.

Then I want you to run our cleanup tool, which will remove any traces that are left over. Please run this twice to be sure it has been cleaned. <- very important

xxxx link removed xxxx

Then install the new version again

Gringo

 

 

Post updated [02/12/2021 - AdvancedSetup]

The following MBST tool should be used to perform a clean removal and reinstall

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

 

Edited by AdvancedSetup
updated information

  • Staff

Greetings

I would like you to run the scan in safe mode and let me know if it does the same thing

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.

Wait 30 seconds, and then turn the computer on.

Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

Ensure that the Safe Mode option is selected.

Press Enter. The computer then begins to start in Safe mode.

Login on your usual account.

Gringo


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
